by handrous
1740 days ago
JavaScript's a massive security threat. It's really weird to me that people seem to just assume it's fine, and isn't the most dangerous damn thing in common use on computers. Every time someone (usually Google) pushes another way for it to touch hardware, I'm surprised that most developers are like "oh good, so glad, can't wait 'til Safari catches up in 5 years". Um... no? It's a terrible idea? Please don't ever? We ought to be reining in what JS can do and removing access, not adding more. For one thing, it shouldn't be able to send data without our say-so. It's insecure and spying-enabling by design—why does clicking a link mean the page that loads gets to send my mouse movements and keystrokes to its master? That's crazy, and has been a major contributor to the new norm that all kinds of privacy invasion are fine. "It's just 'telemetry', what's the big deal?" Ugh. "That's alarmist, JS is super secure" right, and most folks weren't worried about their CPUs betraying them until Meltdown and Spectre—smart money says there is a vulnerability we'll find shocking in one or more JavaScript implementations, right now, waiting to screw us.
https://www.vusec.net/projects/smash/